[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #26045 [Applications/Tor Browser]: Create a new MAR signing key for ESR60



#26045: Create a new MAR signing key for ESR60
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:
                                                 |  reopened
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  GeorgKoppen201806,                   |  Actual Points:
  TorBrowserTeam201806                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 Two additional bits of information that may help:

 1) I essentially used the key generation command as specified in our
 KeyGeneration doc, just adjusted to the new hash length. I.e. `certutil -d
 nssdb -S -x -g 4096 -Z SHA384 -n marsigner -s "CN=Tor Browser MAR signing
 key" -t,,`

 2) For signing I used the old script we had in the Gitian days,
 `signmars.sh` changed to check for the new cert9.db and to make sure it is
 using the new mar-tools (i.e. those built with the esr60 nightly).

 If you want to inspect the .der certs, I used `bug_26045` in my public
 `tor-browser-build` repo for building.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26045#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs